Archive for March, 2017

On March 15, 2017, New Mexico’s Senate passed H.B. 15, the Data Breach Notification Act, making New Mexico the 48th state to pass a data breach notification law. The law, if signed by the governor, would provide New Mexico’s two million residents protections similar to those provided is many other states. Although they adopted the common definition for PII, New Mexico’s legislature declined to follow recent trends of expanding the definition of PII to include usernames or email addresses in combination with passwords and answers to security questions.

When a breach affecting New Mexico residents occurs, notification must be made no later than 30 days following discovery of the breach, except where “after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud.” In the event more than 1,000 New Mexico residents are affected, you must also provide notice to the office of New Mexico’s attorney general and the major consumer reporting agencies. If the breach involves credit card or debit card numbers, notice must also be provided to each merchant services provider to which the credit card or debit card number was transmitted within ten days of discovery of the breach.

Similar to other jurisdictions, the New Mexico legislature did not provide its citizens with a private right of action, rather it provides the state’s attorney general the right to bring legal actions on behalf of affected individuals. Courts may issue an injunction or award damages for actual losses including consequential financial losses. For knowingly or recklessly violating the Act, the Court may also impose civil penalties of $25,000, or in the case of a failure to notify, a penalty of $10 per instance up to a maximum penalty of $150,000.

New Mexico Governor Susana Martinez has until April 7, 2017 to sign the act into law. If signed into law, New Mexico would leave Alabama and South Dakota as the only states with no security breach laws, although the Alabama legislature has introduced a similar bill for consideration.

The passage of this new statute underscores the importance of staying up-to-date with your state’s data breach statutes and having a data breach response plan in place. The Cyber, Data Security, and Privacy practice group attorneys are here to assist you in navigating the intricacies of each states’ data protection statutes.

Please contact Jonathan Romvary at [email protected] if you have any questions regarding how this law or any state’s data breach statutes may affect you.

While the national media is focused on President Trump’s appointees for positions such as Labor Secretary and the Supreme Court, Georgia employers may not realize that President Trump has the opportunity to make a direct impact on the Georgia legal scene.

There are several vacant positions on the Georgia federal bench that will likely be filled by President Trump’s nominees at some point in the future. As of March 31, the Northern District of Georgia has two vacancies, while the Middle and Southern District have one vacancy each. Like Supreme Court justices, the president nominates individuals to fill those open federal judgeships, subject to confirmation by the Senate.

Why does this matter to Georgia employers? In the unfortunate event your company is sued by a current or former employee for violations of federal employment laws, the case will likely be heard in federal court by federal judges. Georgia employers should keep an eye on who is nominated to these vacant federal judgeships as these judges could be ruling on your case in the event you are sued by an employee. We will keep you updated as more information comes available about potential nominees.

When people think of insurance fraud, they likely imagine someone intentionally causing a loss in order to receive policy proceeds, but most insurance policies do not limit a carrier’s right to deny coverage or void the policy to fraud alone. Rather, all kinds of policies (homeowner, commercial general liability, and more) often include in their fraud-related provisions misrepresentation of a material fact as well. But what constitutes a “material misrepresentation” exactly? The answer, of course, depends on which state law applies.

Take for example an insurance carrier that filed an action in California, asking the federal district court to declare that there was no coverage under a cyber liability policy because, among other reasons, the insured had represented in its policy application that its medical records system had certain security measures in place to protect personally identifiable information and other sensitive data while, allegedly, patient information was accessible online with no encryption.

Although the court did not make a ruling on this issue, incorrect statements that are made by an insured in a policy application, even if unintentional, are very likely to support rescinding and voiding the policy ab initio (from its inception) under California law. This is because California’s test for materiality is the effect which truthful answers would have had upon the carrier in its evaluation of risk (such as requiring additional underwriting or charging additional premium): the fact that the carrier requires answers to specific questions in an application for insurance is usually in itself sufficient to establish the materiality as a matter of law.

The rule under Georgia law is a similar one, although from a more clearly objective standpoint: A material misrepresentation is one that would influence a prudent insurer in determining the nature, extent, or character of the risk and whether or not to accept it or fix a different amount of premium. And a Georgia statute sets forth specifically that all that is required in a policy application to give grounds to deny or rescind is a material misrepresentation, omission, concealment or incorrect statement (as opposed to proof of intent to defraud).

Going back to our example, the data security measures implemented by the insured would likely be material under Georgia law by increasing or decreasing the risk assessed by a prudent carrier of a cyber liability policy, such that any incorrect statement in the application as to those measures could entitle a carrier to deny or rescind. Under California law, since this carrier alleged it actually asked the insured in the application about checking for security patches, replacing factory default settings, etc., the insured’s responses would likely be found material as a matter of law.

Again, the meaning of material misrepresentation can involve other inquiries depending on the applicable law, such as proof of actual reliance by the carrier on that representation or other prejudice to the carrier, so when faced with a potential false statement or omission, a carrier should seek counsel to determine which state law(s) could be applicable.

Recently, there has been a movement in the snow and ice management industry to reduce the ability of contracting parties to transfer risk in the service contracts through indemnification clauses. To that end, there are anti-indemnification bills in various stages of the legislative process throughout the country. The Snow Removal Service Liability Limitation Act has passed in Illinois and been signed into law by the Governor. The Act provides that it is against public policy and void for a snow and ice removal contract to require a snow and ice management contractor or customer to: (1) indemnify the other for their own negligence; (2) hold the other harmless for their own negligence; or (3) impose a duty to defend the other for their own negligence. Similar legislation is pending in other states, including in Michigan, Wisconsin, Indiana, New York, New Jersey, and Pennsylvania. The New Jersey bill has already passed the Senate and is awaiting a vote in the House of Representatives. The Pennsylvania bill is in Committee, and testimony has been provided on the bill by our own Josh Ferguson.

The Accredited Snow Contractors Association has noted several anticipated benefits to this legislation for the snow and ice management contractors. First, prohibiting transfer of contractual defense and indemnity for a property owner or manager’s own negligence, the property owner and/or manager has their own interest in insuring the roadways and sidewalks are adequately treated. Additionally, a potential side effect this statute could have is lowering ever increasing insurance premiums for snow and ice removal contractors by avoiding those tenders of defense and indemnity.

The FMLA allows qualified employees to take 12 weeks of unpaid, job-protected leave per year for medical reasons or to care for sick family members. Once an employee’s leave period end, that person must be returned to the same job the worker held before, or to a virtually identical position. FMLA’s allowance for intermittent leave, or shorter, less predictable absences, often presents issues for employers.

Some employees may arrange a reduced schedule because of foreseeable medical treatment such as chemotherapy treatments every Wednesday. Employers can plan ahead to cover the time taken off by the employee in these situations. All medical conditions, however, do not follow a schedule. For example, employees who suffer from asthma are permitted to take FMLA leave when their conditions flare up, which often leaves employers with little to no advance notice either that the employee will miss work or when the employee will return to work.

Employers can avoid common mistakes in dealing with periodic FMLA absences through effective administration and record-keeping. When an employee makes a request for leave under the FMLA, that person must obtain a medical certification stating that leave is required. Once a request is granted, the onus is on the employer to ensure that the leave is carried out correctly, which requires the employer to track the amount of time a worker takes. If an employer doesn’t track leave time properly, it may mistakenly advise an employee that leave may be taken, which opens the employer up to legal claims.

Another common mistake made by employers is not knowing an absence is covered. While continuous leave periods are often associated with a significant event such as major surgery, intermittent absences can start out appearing much more benign. For example, an employee may take a day or two off for a relatively minor procedure, but if a complication arises, the employee could be out of work for a few extra days and additional days from time to time after that. Recognition is often a problem for an employer because not every absence starts out as FMLA. Such intermittent leave is allowed under the FMLA, and employers must make it a priority to maintain proper FMLA documents and paperwork documenting the employee’s absences.

A third mistake often made by employers in handling intermittent FMLA leave is failing to investigate questionable absences. If an employer receives a tip concerning possible fraudulent behavior, the employer should make every effort to investigate such behavior. A classic example of suspicious activity is an employee whose unpredictable medical condition has a tendency to flare up on Fridays or Mondays, resulting in the employee consistently taking three-day weekends. An employer can prevent such abuse by completing at the start a sufficient certification of an employee’s need to leave. When there is reason to doubt the initial certification, the employer has the right to request a second opinion. If any questionable activity by the employee begins to take place during the leave period, the FMLA permits requesting recertification to ensure an employee’s leave is still needed.